Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both because of the intellectual challenge such attacks represent for hackers and because of the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to them. As various attack methods are tried and ultimately repulsed, attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is an ongoing, ever-changing, and increasingly complex problem.
Computer network attacks can take many forms, and any one attack may include many security events of different types. Security events are anomalous network conditions, each of which may cause an anti-security effect on a computer network. Security events include stealing conventional or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capacity in order to cause denial of service; and so forth.
Network security-risk-assessment tools, i.e. “scanners,” may be used by a network manager to simulate an attack against computer systems via a remote connection. Such scanners can probe for network weaknesses by simulating certain types of security events that make up an attack. Such tools can also test user passwords for suitability and security. Moreover, scanners can search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses.
During the course of scanning, a scanner may implement various policies in response to a security event or the threat of a security event. Such policies may include blocking predetermined files, blocking e-mail messages exhibiting certain criteria, changing passwords, and/or any other reaction to a known security event. In conventional network security systems, such policies are often maintained until the security event or threat no longer applies. Prior Art FIG. 1 illustrates the manner in which at least one policy 10 is maintained until the security event is non-existent.
By following such a simplistic approach to triggering policies, and to policies in general, various problems may arise. For example, if separate security events trigger different policies that conflict, there is currently no way of dealing with such a conflict. Another problem is that policies associated with a serious “high-risk” security event may be disabled as soon as the security event is terminated. In such situations, it may be more suitable to maintain such defensive policies for a period that is not necessarily a function of the immediate presence of the security event.
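The two shortcomings above, a policy lapsing the instant its event clears (FIG. 1) and conflicting policies with no resolution rule, can be made concrete in a small simulation. This is an added illustration, not code from the patent; the hold-down period, the "highest-risk event wins" resolution rule, and the policy names and targets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

RISK_RANK = {"low": 0, "medium": 1, "high": 2}  # constructed severity ordering

@dataclass(frozen=True)
class Policy:
    name: str
    target: str            # resource the policy acts on, e.g. "smtp_attachments"
    action: str            # "block" or "allow"
    risk: str              # severity of the security event that triggers it
    hold_seconds: int = 0  # 0 reproduces FIG. 1: policy lapses the instant the event clears

class PolicyEngine:
    """Tracks when each policy's triggering event was last observed."""

    def __init__(self) -> None:
        self.last_seen: Dict[str, int] = {}

    def observe(self, policy: Policy, event_present: bool, now: int) -> None:
        if event_present:
            self.last_seen[policy.name] = now

    def is_active(self, policy: Policy, event_present: bool, now: int) -> bool:
        if event_present:
            return True
        last = self.last_seen.get(policy.name)
        # Hold-down: keep enforcing for hold_seconds after the last observation,
        # so lifetime is no longer purely a function of the event's presence.
        return last is not None and now - last < policy.hold_seconds

    def resolve(self, active: List[Policy], target: str) -> Optional[str]:
        """Conflicting actions on one target: the policy tied to the highest-risk event wins
        (one constructed resolution rule; the prior art described above has none)."""
        candidates = [p for p in active if p.target == target]
        if not candidates:
            return None
        return max(candidates, key=lambda p: RISK_RANK[p.risk]).action

def simulate(policy: Policy, event_timeline: List[bool]) -> List[bool]:
    """Return, per tick, whether the policy is enforced for a given event-presence pattern."""
    engine = PolicyEngine()
    enforced = []
    for now, present in enumerate(event_timeline):
        engine.observe(policy, present, now)
        enforced.append(engine.is_active(policy, present, now))
    return enforced
```

With `hold_seconds=0` the enforced pattern is identical to the event pattern, which is the FIG. 1 behaviour; a non-zero hold keeps a high-risk policy in place after the event disappears.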